Tumblr May Have Waited Weeks to Fix iOS Flaw

On Monday, the blogging platform Tumblr fixed a security flaw in its app for iPhones and iPads — a vulnerability that put users’ accounts at risk by transmitting user names and passwords in plain text.

However, the IT staffer who found the flaw says Tumblr initially ignored his information and only fixed the vulnerability after a tech blog contacted Tumblr for comment two weeks later.

If that account is accurate, millions of Tumblr iOS users remained exposed to credential theft and account hijacking for the two weeks between the initial report and the fix. (The Tumblr app for Android is not affected.)

“Yesterday, Tumblr was notified of a security vulnerability introduced in our iOS app,” a Tumblr spokeswoman told TechNewsDaily via email. “We immediately released an update that repairs the issue and are notifying affected users. We obviously take these incidents very seriously and deeply regret this error.”

When a user logs into Tumblr from a Mac, PC or Android device, the login credentials travel over an encrypted connection, so an identity thief or hacker on the same network who captures the traffic with commonly available sniffing software sees only ciphertext, not the password.

However, until last night, the Tumblr iOS app sent the user's username and password in plain text, readable to anyone else on the same network and to any device on the path between the phone and Tumblr's servers.
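To make the difference concrete, here is an added example of the kind of check an app reviewer runs over captured traffic; it is written for this page and is not code from Tumblr, The Register or the staffer, who did not publish his method. It takes raw TCP payloads as a sniffer on a shared network would see them, treats TLS records as opaque, and flags any HTTP request that carries a password field or HTTP Basic credentials in the clear. The payloads, host names and field names below are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs

# Field names that usually carry a secret; a match in a cleartext request is a finding.
SECRET_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret|token|api_?key)$", re.I)

# Constructed sample payloads (not real Tumblr traffic).
# 1. What an app that posts its login form over plain HTTP puts on the wire.
LOGIN_BODY = b"email=alice%40example.invalid&password=hunter2"
PLAINTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(LOGIN_BODY)
    + b"\r\n" + LOGIN_BODY
)
# 2. The first bytes of a TLS ClientHello (record type 0x16, version 0x0301), truncated:
#    all a passive sniffer sees of an HTTPS login.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
# 3. A cleartext request using HTTP Basic authentication.
BASIC_GET = (
    b"GET /api/user HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"\r\n"
)


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts a TLS record (handshake 0x16 or application
    data 0x17, followed by the legacy major version byte 0x03). Such traffic is
    opaque to an eavesdropper, so it is never reported as a finding."""
    return len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (request line, headers dict, body).
    Returns None if the bytes do not start with an HTTP request line."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(payload: bytes) -> list:
    """Return [(where, field, value)] for every secret sent in the clear in one
    captured request: secret-looking form fields in the body and Basic credentials."""
    if is_tls_record(payload):
        return []
    req = parse_http_request(payload)
    if req is None:
        return []
    _, headers, body = req
    findings = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            if SECRET_FIELD.match(field):
                findings.extend(("body", field, v) for v in values)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # b64decode raises binascii.Error (a ValueError) on bad padding
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            findings.append(("header", "basic:" + user, pw))
        except ValueError:
            pass
    return findings


def audit(captured: list) -> list:
    """Run the check over a list of captured TCP payloads, one request each."""
    results = []
    for payload in captured:
        results.extend(find_cleartext_credentials(payload))
    return results


if __name__ == "__main__":
    for where, field, value in audit([PLAINTEXT_LOGIN, TLS_CLIENT_HELLO, BASIC_GET]):
        print(f"cleartext secret in {where}: {field}={value}")
```

Only the two plaintext requests produce findings; the TLS record yields nothing, which is exactly the distinction between the desktop and Android logins described above and the pre-fix iOS app. A real review would feed the function the reassembled TCP streams from a capture taken on the test network rather than hand-built payloads.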

“If you ever logged into Tumblr from your iPhone or iPad in, say, a cafe, a hotel lobby or an airport lounge, then your password could have been compromised,” British independent security consultant Graham Cluley wrote on his blog yesterday.

“I was asked to investigate various iOS apps at work to see if they are suitable for company use,” The Register's source said, explaining how he encountered the flaw. “The Tumblr iOS app is sending the password over plain text and not over SSL [a secure protocol] … We are not talking about password reminders, but about just opening the app and logging in through the iOS app.”

In a follow-up story, the man, whom The Register did not name, said he had informed Tumblr of the flaw two weeks earlier but received only an assurance that Tumblr would adjust its terms of service to better reflect what the iOS app actually did.

After Tumblr failed to patch the app, the IT worker contacted The Register, which yesterday contacted Tumblr and its parent company, Yahoo, for comment.

By Monday’s end, Tumblr posted an official message that it had “just released a very important security update for [its] iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances.”

Tumblr also urged users of those apps to update passwords on Tumblr and on any other site where they used the same passwords. The posting did not acknowledge The Register or its tipper for bringing the security concern to Tumblr’s attention.